User authentication techniques generally require that a given user present a password or other predetermined credential(s) in order to gain access to a protected resource, such as a personal computing device. For example, in a typical two-factor authentication technique, a user is equipped with an authentication token. The authentication token may be implemented as a small, hand-held device that displays a series of passwords over time. A user equipped with such an authentication token reads the currently displayed password and enters it into a user interface of the personal computing device as part of an authentication operation. The user is also generally required to enter a personal identification number (PIN). Two-factor authentication is thus based on something the user has (e.g., the authentication token) and something the user knows (e.g., the PIN). One particular example of an authentication token is the RSA SecurID® user authentication token, commercially available from RSA, The Security Division of EMC Corporation, of Bedford, Mass., U.S.A.
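As an added illustration of the token-plus-PIN scheme just described (example code written for this page, not RSA's SecurID implementation), the verifying side recomputes the time-based passcode the token would display (RFC 6238 over RFC 4226) and requires both that passcode and the PIN. The token seed, PIN and timestamps below are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values: a real deployment provisions the token seed
# securely and stores only a salted PIN hash, never the PIN itself.
TOKEN_SEED = b"12345678901234567890"   # RFC 6238 test seed (constructed for this example)
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.sha256(PIN_SALT + b"1234").hexdigest()  # the user's PIN is "1234"
STEP_SECONDS = 30
DIGITS = 6


def token_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Passcode for one 30-second interval: HMAC-SHA1 plus dynamic truncation (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def displayed_code(seed: bytes, unix_time: int) -> str:
    """What the hand-held token shows at a given time (RFC 6238 time step)."""
    return token_code(seed, unix_time // STEP_SECONDS)


def verify(entered_code: str, entered_pin: str, unix_time: int, window: int = 1) -> bool:
    """Two-factor check: something the user has (token code) and knows (PIN).

    Codes from `window` intervals either side of the current one are accepted
    to tolerate clock drift between token and verifier. Comparisons are
    constant-time so neither factor leaks how close a wrong guess was, and
    every candidate interval is evaluated rather than stopping at a match.
    """
    pin_ok = hmac.compare_digest(
        hashlib.sha256(PIN_SALT + entered_pin.encode()).hexdigest(), PIN_HASH)
    current = unix_time // STEP_SECONDS
    code_ok = False
    for counter in range(current - window, current + window + 1):
        code_ok |= hmac.compare_digest(token_code(TOKEN_SEED, counter), entered_code)
    # Both factors must pass; a lost token or forgotten PIN alone is enough to fail.
    return pin_ok and code_ok
```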
A problem that can arise with conventional authentication techniques is that the user may not always have the required credentials readily available. For example, in the two-factor technique described above, a user may have lost or misplaced the authentication token, and/or may have forgotten the PIN. Other types of authentication techniques, including one-factor authentication techniques which require only the entry of a single PIN or password, are similarly impacted by this problem.
Typical approaches to controlling access to protected resources when users have lost or forgotten their credentials include sending the missing credentials or new credentials via email or other out-of-band channels, asking “life questions” or “challenge questions,” or relying on user properties such as biometrics. However, each of these conventional approaches has a number of significant drawbacks.
For example, the sending of missing or new credentials via email or other out-of-band channels may require that the user has previously registered his or her contact information with a service provider, and further that the user is able to receive messages from that service provider despite not having access to the protected resource. These required conditions are not met in many situations, such as a typical scenario in which a user has forgotten a password to a personal computing device such as a personal computer (PC) or mobile telephone. Also, the requirement for remote storage of personal information may introduce privacy concerns. Out-of-band channel arrangements in which the user needs to contact an administrator to receive an emergency access password or a replacement token are costly and time-consuming for both the user and the administrator.
The asking of “life questions” or “challenge questions” also has drawbacks. Life questions are usually based on information gathered by a service provider from public records, while challenge questions are usually based on information submitted in advance by a user. However, both types of questions assume that the user has network connectivity at the time of the access attempt, which may not be the case in many situations, such as the typical scenario noted above where the user has forgotten the password to his or her PC. Also, there may be substantial costs associated with the service provider obtaining access to public records for answers to life questions or storing user-supplied answers to challenge questions. In addition, there are privacy concerns based on service provider storage and maintenance of such information. Furthermore, the security provided by such arrangements is limited in that others may be able to determine the answers from known information about the user.
Biometrics are typically used as a primary authentication technique rather than as a backup in case of missing credentials. Although it is unlikely that a biometric such as a fingerprint, retina or voice will be unavailable to its corresponding user, it can happen, as in the case of a temporary condition such as a bandaged finger, an eye infection or laryngitis. Also, biometric systems are costly and have complex setup requirements. Furthermore, such systems generally provide limited security relative to their cost.
It is therefore apparent that a need exists for improved user authentication techniques which do not require presentation of a predetermined credential such as a PIN or other type of password, and which avoid the drawbacks of the above-described conventional approaches to dealing with lost or forgotten credentials.